<template name="newAdminIdentity">
  <h1>
    <ul class="admin-breadcrumbs">
      <li>{{#linkTo route="newAdminRoot"}}Admin{{/linkTo}}</li>
      <li>Identity providers</li>
    </ul>
  </h1>

  <p>Choose which services users may use to identify themselves.  Anyone can log in, but only users you invite will be able to install apps or create grains.</p>
  {{>adminIdentityProviderTable idpData=idpData}}

  <p>
  To configure organization membership and settings, see
  {{#linkTo route="newAdminOrganization"}}organization settings{{/linkTo}}.
  </p>
</template>

<template name="adminIdentityProviderConfigureEmail">
{{#modalDialogWithBackdrop onDismiss=onDismiss}}
  <h2>Email login configuration</h2>

  {{#if errorMessage}}
    {{#focusingErrorBox}}
      Failed to save changes: {{errorMessage}}
    {{/focusingErrorBox}}
  {{/if}}

  <form class="setup-idp-form">
    {{#if emailUnconfigured}}
      <p class="flash-message warning-message">Note: to use email login, you'll need to configure email delivery after this.</p>
    {{/if}}

    <p>Email login has no additional configuration options.</p>
  </form>

  <div class="idp-modal-button-row">
    <button class="idp-modal-save">
      {{#if emailLoginEnabled}}
      Save
      {{else}}
      Enable
      {{/if}}
    </button>
    <button class="idp-modal-cancel">
      Cancel
    </button>
    {{#if emailLoginEnabled}}
    <button class="idp-modal-disable">
      Disable
    </button>
    {{/if}}
  </div>
{{/modalDialogWithBackdrop}}
</template>

<template name="googleLoginSetupInstructions">
  <p>
    First, you'll need to get a Google Client ID. Follow these steps:
  </p>
  <ol>
    <li>Visit <a href="https://console.developers.google.com/" target="blank">https://console.developers.google.com/</a></li>
    <li>"Create Project", if needed. Wait for Google to finish provisioning.</li>
    <li>On the left sidebar, go to "Credentials" and, on the right, "OAuth consent screen". Make sure to enter an email address and a product name, and save.</li>
    <li>On the left sidebar, go to "Credentials".  Click the "Create credentials" button, then select "OAuth client ID" as the type.</li>
    <li>Select "Web application" as your application type.</li>
    <li>Set Authorized Javascript Origins to: <span class="idp-config-url">{{siteUrlNoSlash}}</span></li>
    <li>Set Authorized Redirect URI to: <span class="idp-config-url">{{siteUrlNoSlash}}/_oauth/google</span></li>
    <li>Finish by clicking "Create".</li>
  </ol>
</template>

<template name="adminIdentityProviderConfigureGoogle">
{{#modalDialogWithBackdrop onDismiss=onDismiss}}
  <h2>Google login configuration</h2>

  {{#if formerBaseUrl}}
    <p class="flash-message warning-message" tabindex="-1">
      This server moved from <code>{{ formerBaseUrl }}</code> to <code>{{ siteUrlNoSlash }}</code>.
      You'll need to visit
      <a target="_blank" href="https://console.developers.google.com/">https://console.developers.google.com/</a>
      and update the "Authorized Javascript Origins" and "Authorized Redirect URI" for this Client ID to
      include the values below.
    </p>
  {{/if}}

  {{#if errorMessage}}
    {{#focusingErrorBox}}
      Failed to save changes: {{errorMessage}}
    {{/focusingErrorBox}}
  {{/if}}

  <form class="setup-idp-form">
    {{> googleLoginSetupInstructions "" }}

    <p>Then, copy over your Client ID and Client secret below:</p>

    <div class="form-group">
      <label>
        Client ID:
        <input type="text" name="clientId" value="{{clientId}}"/>
      </label>
    </div>
    <div class="form-group">
      <label>
        Client secret:
        <input type="text" name="clientSecret" value="{{clientSecret}}"/>
      </label>
    </div>
  </form>

  <div class="idp-modal-button-row">
    <button class="idp-modal-save" disabled="{{saveDisabled}}">
      {{#if googleEnabled}}
      Save
      {{else}}
      Enable
      {{/if}}
    </button>
    <button class="idp-modal-cancel">
      Cancel
    </button>
    {{#if googleEnabled}}
    <button class="idp-modal-disable">
      Disable
    </button>
    {{/if}}
  </div>
{{/modalDialogWithBackdrop}}
</template>

<template name="githubLoginSetupInstructions">
  <p>
    First, you'll need to get a Github Client ID and Client secret. Follow these steps:
  </p>
  <ol>
    <li>Visit <a href="https://github.com/settings/applications/new" target="blank">https://github.com/settings/applications/new</a></li>
    <li>Set Homepage URL to: <span class="idp-config-url">{{siteUrl}}</span></li>
    <li>Set Authorization callback URL to: <span class="idp-config-url">{{siteUrl}}_oauth/github</span></li>
  </ol>
</template>

<template name="adminIdentityProviderConfigureGitHub">
{{#modalDialogWithBackdrop onDismiss=onDismiss}}
  <h2>GitHub login configuration</h2>

  {{#if formerBaseUrl}}
    <p class="flash-message warning-message" tabindex="-1">
      This server moved from <code>{{ formerBaseUrl }}</code> to <code>{{ siteUrl }}</code>.
      You'll need to visit
      <a target="_blank" href="https://github.com/settings/developers">https://github.com/settings/developers</a>
      and update the Homepage URL and Authorization callback URL for this application to the values below.
    </p>
  {{/if}}

  <form class="setup-idp-form">
    {{> githubLoginSetupInstructions "" }}

    <p>Then, copy over your Client ID and Client secret below:</p>
    <div class="form-group">
      <label>
        Client ID:
        <input type="text" name="clientId" value="{{clientId}}"/>
      </label>
    </div>
    <div class="form-group">
      <label>
        Client secret:
        <input type="text" name="clientSecret" value="{{clientSecret}}"/>
      </label>
    </div>
  </form>

  <div class="idp-modal-button-row">
    <button class="idp-modal-save" disabled="{{saveDisabled}}">
      {{#if githubEnabled}}
      Save
      {{else}}
      Enable
      {{/if}}
    </button>
    <button class="idp-modal-cancel">
      Cancel
    </button>
    {{#if githubEnabled}}
    <button class="idp-modal-disable">
      Disable
    </button>
    {{/if}}
  </div>
{{/modalDialogWithBackdrop}}
</template>

<template name="adminIdentityProviderConfigureLdap">
{{#modalDialogWithBackdrop onDismiss=onDismiss}}
  <h2>LDAP login configuration</h2>

  {{#if errorMessage}}
    {{#focusingErrorBox}}
      Failed to save changes: {{errorMessage}}
    {{/focusingErrorBox}}
  {{/if}}

  <form class="setup-idp-form">
    <div class="form-group">
      <label>LDAP server URL:
        <input type="text" name="ldapUrl" value="{{ldapUrl}}" />
      </label>
      <span class="form-subtext">
        e.g. <code>ldap://ldap.example.com:389</code>.  Use port 636 for SSL.
      </span>
    </div>

    <div class="form-group">
      <label>Bind user DN
        <input type="text" name="ldapSearchBindDn" value="{{ldapSearchBindDn}}"/>
      </label>
      <span class="form-subtext">
        The DN to bind as when searching for a user in the tree, e.g.
        <code>cn=admin,ou=users,dc=example,dc=com</code>.  Optional,
        but needed if your server doesn't allow unauthenticated searches.
      </span>
    </div>

    <div class="form-group">
      <label>Bind user password
        <input type="password" name="ldapSearchBindPassword" value="{{ldapSearchBindPassword}}"/>
      </label>
      <span class="form-subtext">
        Optional, needed if specifying bind DN above.
      </span>
    </div>

    <div class="form-group">
      <label>Base DN
        <input type="text" name="ldapBase" value="{{ldapBase}}"/>
      </label>
      <span class="form-subtext">
        The root object under which to search for user account nodes, e.g.
        <code>ou=users,dc=example,dc=com</code>
      </span>
    </div>

    <div class="form-group">
      <label>LDAP username attribute
        <input type="text" name="ldapSearchUsername" value="{{ldapSearchUsername}}"/>
      </label>
      <span class="form-subtext">
        The LDAP attribute on a user object which represents the user's
        username (what they will enter in the username field when signing in).
      </span>
    </div>

    <div class="form-group">
      <label>LDAP given name attribute
        <input type="text" name="ldapNameField" value="{{ldapNameField}}"/>
      </label>
      <span class="form-subtext">
        The LDAP attribute on a user object which represents the user's full display name.
      </span>
    </div>

    <div class="form-group">
      <label>LDAP email attribute
        <input type="text" name="ldapEmailField" value="{{ldapEmailField}}"/>
      </label>
      <span class="form-subtext">
        The LDAP attribute on a user object which represents the user's email address.
      </span>
    </div>

    <div class="form-group">
      <label>Additional LDAP filter criteria
        <input type="text" name="ldapFilter" value="{{ldapFilter}}"/>
      </label>
      <span class="form-subtext">
        An optional LDAP query fragment that will be included in the user
        search. This is not commonly used. See <a target="_blank" href="http://www.ietf.org/rfc/rfc2254.txt">RFC2254</a>.
      </span>
    </div>

    <div class="form-group">
      <label>LDAP CA certificate
        <textarea name="ldapCaCert" value="{{ldapCaCert}}" placeholder="-----BEGIN CERTIFICATE-----
MIID...
-----END CERTIFICATE-----"></textarea>
      </label>
      <span class="form-subtext">
        This is only necessary if your server supports SSL and is using a private CA not in the common trusted set. Note that it does NOT work to enter the LDAP server's own certificate here -- it must be the certificate of a CA which has signed the LDAP server's certificate.
      </span>
    </div>

  </form>

  <div class="idp-modal-button-row">
    <button class="idp-modal-save" disabled="{{saveDisabled}}">
      {{#if ldapEnabled}}
      Save
      {{else}}
      Enable
      {{/if}}
    </button>
    <button class="idp-modal-cancel">
      Cancel
    </button>
    {{#if ldapEnabled}}
    <button class="idp-modal-disable">
      Disable
    </button>
    {{/if}}
  </div>
{{/modalDialogWithBackdrop}}
</template>

<template name="adminIdentityProviderConfigureSaml">
{{#modalDialogWithBackdrop onDismiss=onDismiss}}
  <h2>SAML login configuration</h2>

  <p>
    Your SAML IDP should be configured to return a persistent nameID. In addition, if you are not
    using Active Directory, you <strong>must</strong>
    configure your IDP to provide two extra attributes, <code>email</code> and <code>displayName</code>.
  </p>

  <p>
    The Service URL of this server is: <code>{{ serviceUrl }}</code>
  </p>

  <p>
    The Service Logout URL of this server is: <code>{{ logoutUrl }}</code>
  </p>

  <p>
    If your SAML IDP supports reading the service provider metadata from a URL, then you can point it at: <code><a href="{{configUrl}}" target="_blank">{{ configUrl }}</a></code>
  </p>

  {{#if errorMessage}}
    {{#focusingErrorBox}}
      Failed to save changes: {{errorMessage}}
    {{/focusingErrorBox}}
  {{/if}}

  <form class="setup-idp-form">
    <div class="form-group">
      <label>SAML provider entry point URL:
        <input type="text" name="entryPoint" value="{{samlEntryPoint}}" placeholder="https://YOUR_SAML_PROVIDER.com/sso/saml" />
      </label>
    </div>

    <div class="form-group">
      <label>SAML provider logout URL (optional):
        <input type="text" name="logout" value="{{samlLogout}}" placeholder="https://YOUR_SAML_PROVIDER.com/sso/saml/SingleLogoutService" />
      </label>
    </div>

    <div class="form-group">
      <label>SAML cert for above provider:
        <textarea type="text" name="publicCert" value="{{samlPublicCert}}" placeholder="base64 encoded cert (e.g. MIID...8F==)"></textarea>
      </label>
    </div>

    <div class="form-group">
      <label>Entity ID:
        <input type="text" name="entityId" value="{{samlEntityId}}" placeholder="{{exampleEntityId}}" />
      </label>
    </div>
  </form>

  <div class="idp-modal-button-row">
    <button class="idp-modal-save" disabled="{{saveDisabled}}">
      {{#if samlEnabled}}
      Save
      {{else}}
      Enable
      {{/if}}
    </button>
    <button class="idp-modal-cancel">
      Cancel
    </button>
    {{#if samlEnabled}}
    <button class="idp-modal-disable">
      Disable
    </button>
    {{/if}}
  </div>
{{/modalDialogWithBackdrop}}
</template>

<template name="adminIdentityProviderTable">
{{!-- Expects an empty data context. --}}
<div class="identity-provider-table" role="grid">
  <div class="idp-table-header" role="rowgroup">
    <div class="idp-header-row" role="row">
      <span class="idp" role="rowheader">Identity provider</span>
      <span class="idp-status" role="rowheader">Status</span>
    </div>
  </div>
  <div class="idp-table-rows" role="rowgroup">
  {{#each idp in idpData}}
    {{> adminIdentityRow idp=idp}}
  {{/each}}
  {{#each idp in idpData}}
    {{#if currentPopupIs idp.id}}
      <div >
        {{> Template.dynamic template=idp.popupTemplate data=popupData}}
      </div>
    {{/if}}
  {{/each}}
  </div>
</div>
</template>

<template name="adminIdentityRow">
<div class="idp-table-row" role="row">
  <span class="idp" role="gridcell">{{idp.label}}</span>
  <span class="idp-status" role="gridcell">
    <span class="left">
    {{#if idp.enabled}}
      <span class="idp-enabled">Enabled</span>
    {{else}}
      <span class="idp-disabled">Not enabled</span>
    {{/if}}
    {{#if idp.resetNote}}
      {{#if idp.resetNote.baseUrlChangedFrom}}
      <span class="base-url-change-note">
        Disabled due to BASE_URL change <button class="button-link base-url-change-button">reconfigure</button>
      </span>
      {{/if}}
    {{/if}}
    </span>

    <span class="right">
      <button class="configure-idp" title="Configure {{idp.label}} login">Configure</button>
    </span>
  </span>
</div>
</template>
